NVD Vulnerability Detail

CVE-2013-2071

Summary	java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.
Publication Date	June 1, 2013, 11:21 p.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

CVSS2.0 : LOW
Score	2.6
Vector	AV:N/AC:H/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
cpe:2.3:a:apache:tomcat:7.0.12:::::::*
cpe:2.3:a:apache:tomcat:7.0.20:::::::*
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
cpe:2.3:a:apache:tomcat:7.0.22:::::::*
cpe:2.3:a:apache:tomcat:7.0.28:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.18:::::::*
cpe:2.3:a:apache:tomcat:7.0.14:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.23:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.13:::::::*
cpe:2.3:a:apache:tomcat:7.0.30:::::::*
cpe:2.3:a:apache:tomcat:7.0.15:::::::*
cpe:2.3:a:apache:tomcat:7.0.19:::::::*
cpe:2.3:a:apache:tomcat:7.0.16:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.25:::::::*
cpe:2.3:a:apache:tomcat:7.0.32:::::::*
cpe:2.3:a:apache:tomcat:7.0.21:::::::*
cpe:2.3:a:apache:tomcat:7.0.17:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*

Related information, measures and tools

No	URL	タグ
1	http://archives.neohapsis.com/archives/bugtraq/2013-05/0040.html
2	http://archives.neohapsis.com/archives/bugtraq/2013-05/0040.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105855.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105855.html
5	http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
6	http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html
7	http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106342.html
8	http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106342.html
9	http://lists.opensuse.org/opensuse-updates/2013-08/msg00013.html
10	http://lists.opensuse.org/opensuse-updates/2013-08/msg00013.html
11	http://marc.info/?l=bugtraq&m=139344248911289&w=2
12	http://marc.info/?l=bugtraq&m=139344248911289&w=2
13	http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java?r1=1471372&r2=1471371&pathrev=1471372	Patch
14	http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java?r1=1471372&r2=1471371&pathrev=1471372	Patch
15	http://svn.apache.org/viewvc?view=revision&revision=1471372	Patch
16	http://svn.apache.org/viewvc?view=revision&revision=1471372	Patch
17	http://tomcat.apache.org/security-7.html	Vendor Advisory
18	http://tomcat.apache.org/security-7.html	Vendor Advisory
19	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
20	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
21	http://www.securityfocus.com/bid/59798
22	http://www.securityfocus.com/bid/59798
23	http://www.securityfocus.com/bid/64758
24	http://www.securityfocus.com/bid/64758
25	http://www.ubuntu.com/usn/USN-1841-1
26	http://www.ubuntu.com/usn/USN-1841-1
27	https://issues.apache.org/bugzilla/show_bug.cgi?id=54178	Exploit
28	https://issues.apache.org/bugzilla/show_bug.cgi?id=54178	Exploit

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

Apache Tomcat の AsyncContextImpl.java における重要なリクエスト情報を取得される脆弱性

Title	Apache Tomcat の AsyncContextImpl.java における重要なリクエスト情報を取得される脆弱性
Summary	Apache Tomcat の java/org/apache/catalina/core/AsyncContextImpl.java は、アプリケーション内の AsyncListener の RuntimeException のスローを適切に処理しないため、他のアプリケーション向けの重要なリクエスト情報を取得される脆弱性が存在します。
Possible impacts	攻撃者により、プロセスのリクエストを記録するアプリケーションを介して、他のアプリケーション向けの重要なリクエスト情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 9, 2013, midnight
Registration Date	June 4, 2013, 1:55 p.m.
Last Update	Nov. 9, 2016, 4:39 p.m.

Affected System

Apache Software Foundation

Apache Tomcat 7.0.40 未満の 7.x

オラクル

Oracle Supply Chain Products Suite の Oracle Transportation Management 6.0

Oracle Supply Chain Products Suite の Oracle Transportation Management 6.1

Oracle Supply Chain Products Suite の Oracle Transportation Management 6.2

Oracle Supply Chain Products Suite の Oracle Transportation Management 6.3

Oracle Supply Chain Products Suite の Oracle Transportation Management 6.3.1

Oracle Supply Chain Products Suite の Oracle Transportation Management 6.3.2

Oracle Virtualization の Oracle Secure Global Desktop 4.71 with December 2013 PSU 未満

Oracle Virtualization の Oracle Secure Global Desktop 5.0 with December 2013 PSU 未満

日本電気

WebOTX Application Server Express V9.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-2071	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
National Vulnerability Database (NVD)
2	CVE-2013-2071	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2071

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Apache Bugzilla
1	Bug 54178	https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
Apache Tomcat
2	security-7	http://tomcat.apache.org/security-7.html
Apache-SVN
3	Diff of /tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java	http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java?r1=1471372&r2=1471371&pathrev=1471372
4	Revision 1471372	http://svn.apache.org/viewvc?view=revision&revision=1471372
NEC製品セキュリティ情報
5	NV16-021	http://jpn.nec.com/security-info/secinfo/nv16-021.html
Oracle Critical Patch Update
6	Oracle Critical Patch Update Advisory - January 2014	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
7	Text Form of Oracle Critical Patch Update - January 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html
SECURITY BLOG
8	January 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2014_critical_patch_update

Change Log

No	Changed Details	Date of change
0	[2013年06月04日] 掲載 [2014年01月20日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - January 2014) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2014 Risk Matrices) を追加ベンダ情報：オラクル (January 2014 Critical Patch Update Released) を追加 [2016年11月09日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日本電気 (NV16-021) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
cpe:2.3:a:apache:tomcat:7.0.12:::::::*
cpe:2.3:a:apache:tomcat:7.0.20:::::::*
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
cpe:2.3:a:apache:tomcat:7.0.22:::::::*
cpe:2.3:a:apache:tomcat:7.0.28:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.18:::::::*
cpe:2.3:a:apache:tomcat:7.0.14:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.23:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.13:::::::*
cpe:2.3:a:apache:tomcat:7.0.30:::::::*
cpe:2.3:a:apache:tomcat:7.0.15:::::::*
cpe:2.3:a:apache:tomcat:7.0.19:::::::*
cpe:2.3:a:apache:tomcat:7.0.16:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.25:::::::*
cpe:2.3:a:apache:tomcat:7.0.32:::::::*
cpe:2.3:a:apache:tomcat:7.0.21:::::::*
cpe:2.3:a:apache:tomcat:7.0.17:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*